<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
                      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8"/>
    <title>Refining Access Controls - Zend Framework Manual</title>

    <link href="../css/shCore.css" rel="stylesheet" type="text/css" />
    <link href="../css/shThemeDefault.css" rel="stylesheet" type="text/css" />
    <link href="../css/styles.css" media="all" rel="stylesheet" type="text/css" />
</head>
<body>
<h1>Zend Framework</h1>
<h2>Programmer's Reference Guide</h2>
<table width="100%">
    <tr valign="top">
        <td width="85%">
            <table width="100%">
                <tr>
                    <td width="25%" style="text-align: left;">
                    <a href="zend.acl.introduction.html">Introduction</a>
                    </td>

                    <td width="50%" style="text-align: center;">
                        <div class="up"><span class="up"><a href="zend.acl.html">Zend_Acl</a></span><br />
                        <span class="home"><a href="manual.html">Programmer's Reference Guide</a></span></div>
                    </td>

                    <td width="25%" style="text-align: right;">
                        <div class="next" style="text-align: right; float: right;"><a href="zend.acl.advanced.html">Advanced Usage</a></div>
                    </td>
                </tr>
            </table>
<hr />
<div id="zend.acl.refining" class="section"><div class="info"><h1 class="title">Refining Access Controls</h1></div>
    

    <div class="section" id="zend.acl.refining.precise"><div class="info"><h1 class="title">Precise Access Controls</h1></div>
        

        <p class="para">
            The basic <acronym class="acronym">ACL</acronym> as defined in the
            <a href="zend.acl.introduction.html" class="link">previous section</a> shows how various
            privileges may be allowed upon the entire <acronym class="acronym">ACL</acronym> (all resources). In
            practice, however, access controls tend to have exceptions and varying degrees of
            complexity. <span class="classname">Zend_Acl</span> allows you to accomplish these refinements
            in a straightforward and flexible manner.
        </p>

        <p class="para">
            For the example <acronym class="acronym">CMS</acronym>, it has been determined that whilst the &#039;staff&#039;
            group covers the needs of the vast majority of users, there is a need for a new
            &#039;marketing&#039; group that requires access to the newsletter and latest news in the
            <acronym class="acronym">CMS</acronym>. The group is fairly self-sufficient and will have the ability
            to publish and archive both newsletters and the latest news.
        </p>

        <p class="para">
            In addition, it has also been requested that the &#039;staff&#039; group be allowed to view news
            stories but not to revise the latest news. Finally, it should be impossible for anyone
            (administrators included) to archive any &#039;announcement&#039; news stories since they only
            have a lifespan of 1-2 days.
        </p>

        <p class="para">
            First we revise the role registry to reflect these changes. We have determined that the
            &#039;marketing&#039; group has the same basic permissions as &#039;staff&#039;, so we define &#039;marketing&#039;
            in such a way that it inherits permissions from &#039;staff&#039;:
        </p>

        <pre class="programlisting brush: php">
// The new marketing group inherits permissions from staff
$acl-&gt;addRole(new Zend_Acl_Role(&#039;marketing&#039;), &#039;staff&#039;);
</pre>


        <p class="para">
            Next, note that the above access controls refer to specific resources (e.g.,
            &quot;newsletter&quot;, &quot;latest news&quot;, &quot;announcement news&quot;). Now we add these resources:
        </p>

        <pre class="programlisting brush: php">
// Create Resources for the rules

// newsletter
$acl-&gt;addResource(new Zend_Acl_Resource(&#039;newsletter&#039;));

// news
$acl-&gt;addResource(new Zend_Acl_Resource(&#039;news&#039;));

// latest news
$acl-&gt;addResource(new Zend_Acl_Resource(&#039;latest&#039;), &#039;news&#039;);

// announcement news
$acl-&gt;addResource(new Zend_Acl_Resource(&#039;announcement&#039;), &#039;news&#039;);
</pre>


        <p class="para">
            Then it is simply a matter of defining these more specific rules on the target areas of
            the <acronym class="acronym">ACL</acronym>:
        </p>

        <pre class="programlisting brush: php">
// Marketing must be able to publish and archive newsletters and the
// latest news
$acl-&gt;allow(&#039;marketing&#039;,
            array(&#039;newsletter&#039;, &#039;latest&#039;),
            array(&#039;publish&#039;, &#039;archive&#039;));

// Staff (and marketing, by inheritance) are denied permission to
// revise the latest news
$acl-&gt;deny(&#039;staff&#039;, &#039;latest&#039;, &#039;revise&#039;);

// Everyone (including administrators) is denied permission to
// archive news announcements
$acl-&gt;deny(null, &#039;announcement&#039;, &#039;archive&#039;);
</pre>


        <p class="para">
            We can now query the <acronym class="acronym">ACL</acronym> with respect to the latest changes:
        </p>

        <pre class="programlisting brush: php">
echo $acl-&gt;isAllowed(&#039;staff&#039;, &#039;newsletter&#039;, &#039;publish&#039;) ?
     &quot;allowed&quot; : &quot;denied&quot;;
// denied

echo $acl-&gt;isAllowed(&#039;marketing&#039;, &#039;newsletter&#039;, &#039;publish&#039;) ?
     &quot;allowed&quot; : &quot;denied&quot;;
// allowed

echo $acl-&gt;isAllowed(&#039;staff&#039;, &#039;latest&#039;, &#039;publish&#039;) ?
     &quot;allowed&quot; : &quot;denied&quot;;
// denied

echo $acl-&gt;isAllowed(&#039;marketing&#039;, &#039;latest&#039;, &#039;publish&#039;) ?
     &quot;allowed&quot; : &quot;denied&quot;;
// allowed

echo $acl-&gt;isAllowed(&#039;marketing&#039;, &#039;latest&#039;, &#039;archive&#039;) ?
     &quot;allowed&quot; : &quot;denied&quot;;
// allowed

echo $acl-&gt;isAllowed(&#039;marketing&#039;, &#039;latest&#039;, &#039;revise&#039;) ?
     &quot;allowed&quot; : &quot;denied&quot;;
// denied

echo $acl-&gt;isAllowed(&#039;editor&#039;, &#039;announcement&#039;, &#039;archive&#039;) ?
     &quot;allowed&quot; : &quot;denied&quot;;
// denied

echo $acl-&gt;isAllowed(&#039;administrator&#039;, &#039;announcement&#039;, &#039;archive&#039;) ?
     &quot;allowed&quot; : &quot;denied&quot;;
// denied
</pre>

    </div>

    <div class="section" id="zend.acl.refining.removing"><div class="info"><h1 class="title">Removing Access Controls</h1></div>
        

        <p class="para">
            To remove one or more access rules from the <acronym class="acronym">ACL</acronym>, simply use the
            available  <span class="methodname">removeAllow()</span> or
             <span class="methodname">removeDeny()</span> methods. As with  <span class="methodname">allow()</span>
            and  <span class="methodname">deny()</span>, you may provide a <b><tt>NULL</tt></b> value
            to indicate application to all roles, resources, and/or privileges:
        </p>

        <pre class="programlisting brush: php">
// Remove the denial of revising latest news to staff (and marketing,
// by inheritance)
$acl-&gt;removeDeny(&#039;staff&#039;, &#039;latest&#039;, &#039;revise&#039;);

echo $acl-&gt;isAllowed(&#039;marketing&#039;, &#039;latest&#039;, &#039;revise&#039;) ?
     &quot;allowed&quot; : &quot;denied&quot;;
// allowed

// Remove the allowance of publishing and archiving newsletters to
// marketing
$acl-&gt;removeAllow(&#039;marketing&#039;,
                  &#039;newsletter&#039;,
                  array(&#039;publish&#039;, &#039;archive&#039;));

echo $acl-&gt;isAllowed(&#039;marketing&#039;, &#039;newsletter&#039;, &#039;publish&#039;) ?
     &quot;allowed&quot; : &quot;denied&quot;;
// denied

echo $acl-&gt;isAllowed(&#039;marketing&#039;, &#039;newsletter&#039;, &#039;archive&#039;) ?
     &quot;allowed&quot; : &quot;denied&quot;;
// denied
</pre>


        <p class="para">
            Privileges may be modified incrementally as indicated above, but a
            <b><tt>NULL</tt></b> value for the privileges overrides such incremental changes:
        </p>

        <pre class="programlisting brush: php">
// Allow marketing all permissions upon the latest news
$acl-&gt;allow(&#039;marketing&#039;, &#039;latest&#039;);

echo $acl-&gt;isAllowed(&#039;marketing&#039;, &#039;latest&#039;, &#039;publish&#039;) ?
     &quot;allowed&quot; : &quot;denied&quot;;
// allowed

echo $acl-&gt;isAllowed(&#039;marketing&#039;, &#039;latest&#039;, &#039;archive&#039;) ?
     &quot;allowed&quot; : &quot;denied&quot;;
// allowed

echo $acl-&gt;isAllowed(&#039;marketing&#039;, &#039;latest&#039;, &#039;anything&#039;) ?
     &quot;allowed&quot; : &quot;denied&quot;;
// allowed
</pre>
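
        <p class="para">
            The following added example, which is not part of the Zend Framework manual, diffs
            the effective permissions before and after the <b><tt>NULL</tt></b>-privilege allow
            shown above, so the widening shows up as a list of newly granted combinations. The
            base guest and staff rules are assumed from the introduction section, and
            effectiveMatrix(), newlyGranted() and the privilege list are illustrative names.
        </p>

```php
// Added example, not from the Zend Framework manual; needs ZF1 on the include path.
require_once 'Zend/Acl.php';
require_once 'Zend/Acl/Role.php';
require_once 'Zend/Acl/Resource.php';

/** Evaluate every role/resource/privilege combination into a flat map. */
function effectiveMatrix(Zend_Acl $acl, array $roles, array $resources, array $privileges)
{
    $matrix = array();
    foreach ($roles as $role) {
        foreach ($resources as $resource) {
            foreach ($privileges as $privilege) {
                $matrix["$role/$resource/$privilege"] =
                    $acl->isAllowed($role, $resource, $privilege);
            }
        }
    }
    return $matrix;
}

/** List the combinations that are allowed in $after but were not in $before. */
function newlyGranted(array $before, array $after)
{
    $was = array_keys(array_filter($before));
    $now = array_keys(array_filter($after));
    return array_values(array_diff($now, $was));
}

// Base rules: an assumption taken from the introduction section; use your own.
$acl = new Zend_Acl();
$acl->addRole(new Zend_Acl_Role('guest'));
$acl->addRole(new Zend_Acl_Role('staff'), 'guest');
$acl->addRole(new Zend_Acl_Role('marketing'), 'staff');
$acl->allow('guest', null, 'view');
$acl->allow('staff', null, array('edit', 'submit', 'revise'));

// Resources and precise rules as defined on this page.
$acl->addResource(new Zend_Acl_Resource('news'));
$acl->addResource(new Zend_Acl_Resource('latest'), 'news');
$acl->addResource(new Zend_Acl_Resource('announcement'), 'news');
$acl->allow('marketing', 'latest', array('publish', 'archive'));
$acl->deny(null, 'announcement', 'archive');

$roles      = array('guest', 'staff', 'marketing');
$resources  = array('latest', 'announcement');
// 'anything' is a sentinel that no rule names; only a NULL-privilege allow grants it.
$privileges = array('view', 'edit', 'revise', 'publish', 'archive', 'delete', 'anything');

$before = effectiveMatrix($acl, $roles, $resources, $privileges);
$acl->allow('marketing', 'latest');   // the NULL-privilege rule from this page
$after  = effectiveMatrix($acl, $roles, $resources, $privileges);

echo implode(PHP_EOL, newlyGranted($before, $after)), PHP_EOL;
```

        <p class="para">
            Because <span class="classname">Zend_Acl</span> keeps no registry of privilege names,
            the privilege list has to be supplied by the caller; an entry ending in the sentinel
            privilege indicates a rule that grants every privilege on that resource.
        </p>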

    </div>
</div>
</td>
    </tr>
</table>

<script type="text/javascript" src="../js/shCore.js"></script>
<script type="text/javascript" src="../js/shAutoloader.js"></script>
<script type="text/javascript" src="../js/main.js"></script>

</body>
</html>